Hi,

We are having intermittent squid NTLM authentication issues. Some user accounts fail to authenticate continuously while most accounts work correctly.

Our setup uses NTLMSSP as its primary method and falls back to basic. The user can enter their DOMAIN\username and successfully use the internet, so it seems to be a problem with NTLMSSP. The client is passing on the NTLM information, but still gets denied.

I have captured both a failing request and a successful request, both below. Apart from header order, I cannot see major differences between each request.

Sorry for the long post, but I have been looking into this for a while, and this is all the info I think is required to see my problem.

Thanks

Adam Clark
Network Administrator
National Gallery of Victoria
180 St Kilda Rd
Melbourne, Vic, 3004

=======================================
squid -v
=======================================
Version 2.5.STABLE3
configure options: --host=i386-redhat-linux --build=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT,winbind --enable-ntlm-auth-helpers=SMB,winbind,fakeauth --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --enable-useragent-log --enable-referer-log

This is the latest package for enterprise server 3, so they have back ported all sorts of patches from newer stable releases. They are listed in the change log, so I can get this information if required. I thought the below bugfix may have been related, but the update didn't help:

02-MAR-05 Jay Fenlason <fenlason@xxxxxxxxxx> 7:2.5.STABLE3-6.3E.9:
- Correct the -libntlmssp patch to correct an off-by-one error that prevented the helper from passing the username to squid.
  This closes bz#139684

==============================================
[root@pthalo aclark]# smbd -V
==============================================
Version 3.0.9-1.3E.3

[global]
	workgroup = BOH
	server string =
	printcap name = /etc/printcap
	load printers = yes
	cups options = raw
	log file = /var/log/samba/%m.log
	max log size = 50
	security = ads
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	realm = BOH.NGV.LOCAL
	winbind use default domain = yes

[homes]
	comment = Home Directories
	browseable = no
	writable = yes

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

=================================================
Below is the configuration for our squid setup:
==================================================
http_port 8080
cache_peer localhost parent 3128 7 no-query default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 128 MB
maximum_object_size 1024 MB
maximum_object_size_in_memory 16 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir diskd /var/cache0 24576 16 256 Q1=72 Q2=64
cache_dir diskd /var/cache1 24576 16 256 Q1=72 Q2=64
dns_retransmit_interval 1 seconds
dns_timeout 10 seconds
hosts_file none
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=boh
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=boh
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl SSL_ports port 8463		# Aurion ESS Service
acl SSL_ports port 8445		# TrendMicro SSL ports
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl viridian src 172.16.22.120/255.255.255.255
http_access allow manager localhost
http_access allow manager viridian
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl NW-INT src 172.16.0.0/12 192.168.2.0/24
acl NW-DMZ src 10.10.10.0/24
acl NW-VPN src 10.10.11.0/24
acl NW-SRV src 172.16.5.0/24 172.16.22.0/24
acl NW-SRV-DST dst 172.16.5.0/24 172.16.22.0/24
acl NW-LAB src 172.16.50.0/24 172.16.51.0/24
acl Authorized-Users proxy_auth REQUIRED
acl POST method POST
acl NGV_SITES url_regex -i .ngv.vic.gov.au .boh.ngv.local
acl CONTROL_ROOM src 172.16.7.201/32
http_access allow localhost
http_access allow NW-DMZ
http_access allow NW-SRV
http_access allow NW-LAB
http_access allow NW-INT NW-SRV-DST
http_access deny CONTROL_ROOM !NGV_SITES
http_access allow POST
http_access allow Authorized-Users
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr helpdesk@xxxxxxxxxxxxxx
logfile_rotate 10
always_direct allow localhost
always_direct deny all
never_direct deny localhost
never_direct allow all
coredump_dir /var/spool/squid
pipeline_prefetch on

========================================================
Here is the failing conversation captured with ethereal:
========================================================
GET http://intranet.nmelb.ngv.vic.gov.au/email.html HTTP/1.0
Accept: */*
Accept-Language: en-au
Proxy-Connection: Keep-Alive
If-Modified-Since: Fri, 29 Nov 2002 00:32:42 GMT; length=10748
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: intranet.nmelb.ngv.vic.gov.au
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogMAAwAyAAAACgAKACgAAAAFASgKAAAAD1dTMDAwMDMwNTdCT0g=

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE3
Mime-Version: 1.0
Date: Thu, 23 Jun 2005 04:16:30 GMT
Content-Type: text/html
Content-Length: 1407
Expires: Thu, 23 Jun 2005 04:16:30 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAASAgAAnlh//5GzpfgAAAAAAAAAAAAAAAAwAAAA
X-Cache: MISS from pthalo.ngv.vic.gov.au
Proxy-Connection: keep-alive

<contents of: /usr/share/squid/errors/English/ERR_CACHE_ACCESS_DENIED>

GET http://intranet.nmelb.ngv.vic.gov.au/email.html HTTP/1.0
Accept: */*
Accept-Language: en-au
Proxy-Connection: Keep-Alive
If-Modified-Since: Fri, 29 Nov 2002 00:32:42 GMT; length=10748
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: intranet.nmelb.ngv.vic.gov.au
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBIAAAACAAIAE4AAAAKAAoAVgAAAAAAAACQAAAABgIAAgUBKAoAAAAPUFRIQUxPR0JBVFRPVVJXUzAwMDAzMDU3QuQQzi7EBLQZbgsP0+MGvqzvKpp07wx6AtRm+Kfpa6OAEshFEiOYHG80jAZ9cilK

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE3
Mime-Version: 1.0
Date: Thu, 23 Jun 2005 04:16:30 GMT
Content-Type: text/html
Content-Length: 1407
Expires: Thu, 23 Jun 2005 04:16:30 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
X-Cache: MISS from pthalo.ngv.vic.gov.au
Proxy-Connection: close

<contents of: /usr/share/squid/errors/English/ERR_CACHE_ACCESS_DENIED>

============================================
Here is a successful one:
============================================
GET http://intranet.nmelb.ngv.vic.gov.au/email.html HTTP/1.0
Accept: */*
Accept-Language: en-au
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogMAAwAyAAAACgAKACgAAAAFASgKAAAAD1dTMDAwMDEzMDdCT0g=
If-Modified-Since: Fri, 29 Nov 2002 00:32:42 GMT
If-None-Match: "110aad-29fc-3de6b5aa"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: intranet.nmelb.ngv.vic.gov.au
Proxy-Connection: Keep-Alive

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE3
Mime-Version: 1.0
Date: Thu, 23 Jun 2005 04:24:25 GMT
Content-Type: text/html
Content-Length: 1407
Expires: Thu, 23 Jun 2005 04:24:25 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAASAgAA6/LNel8izEwAAAAAAAAAAAAAAAAwAAAA
X-Cache: MISS from pthalo.ngv.vic.gov.au
Proxy-Connection: keep-alive

<contents of: /usr/share/squid/errors/English/ERR_CACHE_ACCESS_DENIED>

GET http://intranet.nmelb.ngv.vic.gov.au/email.html HTTP/1.0
Accept: */*
Accept-Language: en-au
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAMAAwBIAAAACQAJAEsAAAAKAAoAVAAAAAAAAACOAAAABgIAAgUBKAoAAAAPQk9IVE1DVEVTVEVSV1MwMDAwMTMwN3UxgOW68LPTcUXvVVBQXJhItO0b1IdGDZTgecCgXf/6tqcFOSaQxJl17dpADINEXg==
If-Modified-Since: Fri, 29 Nov 2002 00:32:42 GMT
If-None-Match: "110aad-29fc-3de6b5aa"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: intranet.nmelb.ngv.vic.gov.au
Proxy-Connection: Keep-Alive

HTTP/1.0 304 Not Modified
Date: Fri, 03 Jun 2005 04:09:34 GMT
Content-Type: text/html
Last-Modified: Fri, 29 Nov 2002 00:32:42 GMT
Age: 173370
X-Cache: HIT from pthalo.ngv.vic.gov.au
Proxy-Connection: keep-alive
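Comparing the two exchanges by eye only shows header order; the NTLMSSP tokens themselves carry the domain, user and workstation the client is presenting. Here is an added Python decoder (not from the original post, nor Squid or Samba code) for the Type 1, 2 and 3 messages quoted in the captures above; it embeds those tokens with the mail line-wrapping removed and assumes the standard NTLMSSP layout (signature, message type, then fixed-position security buffers).

```python
import base64
import struct

# NTLMSSP messages quoted in the captures above, with the mail line-wrapping removed.
FAIL_TYPE1 = "TlRMTVNTUAABAAAAB7IIogMAAwAyAAAACgAKACgAAAAFASgKAAAAD1dTMDAwMDMwNTdCT0g="
FAIL_TYPE2 = "TlRMTVNTUAACAAAAAAAAADAAAAASAgAAnlh//5GzpfgAAAAAAAAAAAAAAAAwAAAA"
FAIL_TYPE3 = ("TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBIAAAACAAIAE4AAAAKAAoAVgAAAAAA"
              "AACQAAAABgIAAgUBKAoAAAAPUFRIQUxPR0JBVFRPVVJXUzAwMDAzMDU3QuQQzi7EBLQZbgsP"
              "0+MGvqzvKpp07wx6AtRm+Kfpa6OAEshFEiOYHG80jAZ9cilK")
OK_TYPE3 = ("TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAMAAwBIAAAACQAJAEsAAAAKAAoAVAAAAAAA"
            "AACOAAAABgIAAgUBKAoAAAAPQk9IVE1DVEVTVEVSV1MwMDAwMTMwN3UxgOW68LPTcUXvVVBQ"
            "XJhItO0b1IdGDZTgecCgXf/6tqcFOSaQxJl17dpADINEXg==")

NEGOTIATE_UNICODE = 0x00000001   # NTLMSSP flag: string fields are UTF-16LE, else OEM

def _buf(raw, pos):
    """Read a security buffer (u16 len, u16 maxlen, u32 offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    return raw[offset:offset + length]

def _text(raw, pos, flags):
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return _buf(raw, pos).decode(enc)

def decode_ntlmssp(b64):
    """Return the header-level fields of a base64 NTLMSSP message as a dict."""
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type == 1:   # NEGOTIATE: flags, OEM domain, OEM workstation
        return {"type": 1, "flags": struct.unpack_from("<I", raw, 12)[0],
                "domain": _buf(raw, 16).decode("latin-1"),
                "workstation": _buf(raw, 24).decode("latin-1")}
    if msg_type == 2:   # CHALLENGE: target name, flags, 8-byte server challenge
        flags = struct.unpack_from("<I", raw, 20)[0]
        return {"type": 2, "flags": flags, "target": _text(raw, 12, flags),
                "challenge": raw[24:32].hex()}
    if msg_type == 3:   # AUTHENTICATE: LM/NT responses, domain, user, workstation
        flags = struct.unpack_from("<I", raw, 60)[0]
        return {"type": 3, "flags": flags,
                "lm_response_len": len(_buf(raw, 12)),
                "nt_response_len": len(_buf(raw, 20)),
                "domain": _text(raw, 28, flags), "user": _text(raw, 36, flags),
                "workstation": _text(raw, 44, flags)}
    raise ValueError("unexpected NTLMSSP message type %d" % msg_type)

def diff_fields(a, b):   # names of fields that differ between two decoded messages
    return sorted(k for k in a if a[k] != b.get(k))
```

Decoding both Type 3 messages shows that the failing client presents domain PTHALO (the proxy's own hostname) with user GBATTOUR, while the working client presents domain BOH with user TMCTESTER; flags and response lengths are identical, and each workstation name matches its Type 1 message.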